Re: [Zope] how to prevent URL access to an external method?

Tue, 28 Apr 2009 09:20:14 -0700 

In my opinion Tres's way is the correct one for this case

Why? Because the original must be is to run the script only for internal
processes

The main diference between an internal call and a user one is the REQUEST
parameter and then the Tres's solution seems the more convenient way

It's only my opinion

2009/4/28 Jaroslav Lukesh <luk...@seznam.cz>

> Why? It is more transparent and better way - use security tab.
>
>
> ----- Original Message -----
> From: "Tres Seaver" <tsea...@palladion.com>
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Pedro LaWrench wrote:
> >> I need to do something on the filesystem, which requires unrestricted
> >> python, so I created an external method. The problem is that anyone
> >> can call that directly via URL, so I added a permission check. Even
> >> then, users with the sufficient permissions can call this via URL,
> >> which I don't want them to do. I only want them to have access
> >> indirectly from other pages (such as a page template that will pass
> >> sane parameters). Is there anyway to do this?
> >
> > Add a REQUEST argument to your function, defaulting to None.  The
> > publisher will always pass the request in for that argument, while the
> > other templates / scripts should not.  E.g.:
> >
> > def doSomething(self, REQUEST=None):
> >     """ Don't call me directly via a URL!!!
> >     """
> >     if REQUEST is not None:
> >         raise ValueError('Wicked, evil, naughty Zoot!')
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
>



-- 
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to